Posted to dev@kafka.apache.org by "Vahid Hashemian (JIRA)" <ji...@apache.org> on 2017/05/26 23:45:04 UTC
[jira] [Created] (KAFKA-5336) The required ACL permission for ListGroup is invalid
Vahid Hashemian created KAFKA-5336:
--------------------------------------
Summary: The required ACL permission for ListGroup is invalid
Key: KAFKA-5336
URL: https://issues.apache.org/jira/browse/KAFKA-5336
Project: Kafka
Issue Type: Bug
Components: security
Affects Versions: 0.10.2.1
Reporter: Vahid Hashemian
Assignee: Vahid Hashemian
Priority: Minor
The {{ListGroup}} API authorizes requests with _Describe_ access to the cluster resource:
{code}
def handleListGroupsRequest(request: RequestChannel.Request) {
  if (!authorize(request.session, Describe, Resource.ClusterResource)) {
    sendResponseMaybeThrottle(request, requestThrottleMs =>
      ListGroupsResponse.fromError(requestThrottleMs, Errors.CLUSTER_AUTHORIZATION_FAILED))
  } else {
    ...
{code}
However, the list of operations (or permissions) allowed for the cluster resource does not include _Describe_:
{code}
val ResourceTypeToValidOperations = Map[ResourceType, Set[Operation]] (
  ...
  Cluster -> Set(Create, ClusterAction, DescribeConfigs, AlterConfigs, IdempotentWrite, All),
  ...
)
{code}
Only a user with _All_ cluster permission can successfully call the {{ListGroup}} API. No other permission (not even any combination that does not include _All_) would let a user use this API.
The bug could be as simple as a typo in the API handler. Though it's not obvious what actual permission was meant to be used there (perhaps _DescribeConfigs_?)
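The mismatch reported above can be caught mechanically by checking each handler's required operation against the operations that can actually be granted on its resource type. The following is an added example, not Kafka source code and not part of the original report: it is a simplified model in which the names `grantable`, `authorized`, `handlerRequirements` and `unreachable` are hypothetical, and it assumes that a grant is accepted only when the operation is valid for the resource type and that a held _All_ satisfies any check.

```scala
// Added example: simplified model of the reported mismatch, not Kafka source code.
object AclConsistencyCheck {
  sealed trait Operation
  case object Describe extends Operation
  case object Create extends Operation
  case object ClusterAction extends Operation
  case object DescribeConfigs extends Operation
  case object AlterConfigs extends Operation
  case object IdempotentWrite extends Operation
  case object All extends Operation

  sealed trait ResourceType
  case object Cluster extends ResourceType

  // Cluster entry copied from the report; the other resource types are elided there.
  val validOperations = Map[ResourceType, Set[Operation]](
    Cluster -> Set[Operation](Create, ClusterAction, DescribeConfigs, AlterConfigs, IdempotentWrite, All)
  )

  // Assumption: a grant is accepted only if the operation is valid for the resource type.
  def grantable(rt: ResourceType, op: Operation): Boolean =
    validOperations.getOrElse(rt, Set.empty[Operation]).contains(op)

  // Assumption: a check passes if the principal holds the required operation or All.
  def authorized(held: Set[Operation], required: Operation): Boolean =
    held.contains(required) || held.contains(All)

  // Handler -> (required operation, resource type); the ListGroups entry is from the report.
  val handlerRequirements = Map[String, (Operation, ResourceType)](
    "ListGroups" -> ((Describe, Cluster))
  )

  // Handlers whose required operation can never be granted on their resource type.
  def unreachable: Map[String, (Operation, ResourceType)] =
    handlerRequirements.filter { case (_, (op, rt)) => !grantable(rt, op) }

  def main(args: Array[String]): Unit = {
    unreachable.foreach { case (handler, (op, rt)) =>
      println(s"$handler requires $op on $rt, which cannot be granted")
    }
    // Holding every grantable cluster operation except All still fails the check.
    val withoutAll = validOperations(Cluster) - All
    println(s"every non-All grant authorized: ${authorized(withoutAll, Describe)}")
    println(s"All authorized: ${authorized(Set[Operation](All), Describe)}")
  }
}
```

A check of this shape, run over the full handler and resource-type tables, flags any API whose only working grant is _All_, which is the least-privilege gap the report describes.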